fs: cbfs: Fix out of bound access during CBFS walking through
authorBin Meng <bmeng.cn@gmail.com>
Sat, 22 Dec 2018 09:55:49 +0000 (01:55 -0800)
committerBin Meng <bmeng.cn@gmail.com>
Mon, 31 Dec 2018 01:42:41 +0000 (09:42 +0800)
The call to file_cbfs_fill_cache() is given with the parameter
'start' pointing to the offset by the CBFS base address, but
with the parameter 'size' that equals to the whole CBFS size.
During CBFS walking through, it checks files one by one and
after it pass over the end of the CBFS which is 4GiB boundary
it tries to check files from address 0 and so on, until the
overall size the codes checked hits to the given 'size'.

Fix this by passing 'start' pointing to the CBFS base address.

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
fs/cbfs/cbfs.c

index e9433252972edeb16bb8e2f466d87852c5167768..7b2513cb24bf4683e018a9ac24ebd47f3bb71f93 100644 (file)
@@ -189,8 +189,8 @@ void file_cbfs_init(uintptr_t end_of_rom)
 
        start_of_rom = (u8 *)(end_of_rom + 1 - cbfs_header.rom_size);
 
-       file_cbfs_fill_cache(start_of_rom + cbfs_header.offset,
-                            cbfs_header.rom_size, cbfs_header.align);
+       file_cbfs_fill_cache(start_of_rom, cbfs_header.rom_size,
+                            cbfs_header.align);
        if (file_cbfs_result == CBFS_SUCCESS)
                initialized = 1;
 }